Hello,
A security scan on a mobile application identified multiple vulnerabilities affecting the LibPNG library.
Affected CVEs:
- CVE-2025-64720
- CVE-2025-65018
- CVE-2025-66293
- CVE-2026-22801
These vulnerabilities are related mainly to out-of-bounds read/write, heap buffer overflow, and integer truncation issues during PNG image parsing and processing.
Current situation:
- The application uses LibPNG version 1.6.43
- Security scanners report that LibPNG < 1.6.54 is affected by the CVEs listed above
- Image decoding relies on LibPNG for PNG parsing and processing
- LibPNG is not installed in our app; it is included indirectly as a dependency of the Flutter framework (through its underlying graphics stack).
- The LibPNG version cannot be updated independently by the application, as it is managed by Flutter and its native dependencies
Impact and Severity:
- The vulnerabilities may lead to:
  - Application crash (Denial of Service)
  - Memory corruption
  - Potential code execution in specific exploitation scenarios
- Exploitation generally requires processing of crafted PNG image files
- The attack vector is remote, with user interaction required (loading a malicious PNG)
- Severity ranges from MEDIUM to HIGH, depending on the CVE and execution context
- No widespread public exploits are currently known for these CVEs, but exploitation is technically feasible
Questions:
- Is there a planned update of the Flutter Engine that includes a LibPNG version equivalent to or newer than upstream 1.6.54, addressing the listed CVEs?
- Given that LibPNG is an internal Flutter dependency and cannot be updated independently by the application, what is the recommended remediation strategy to address these CVEs?
- Are there any official mitigations or configuration recommendations that can be applied at application or framework level until an updated Flutter Engine is available?
References:
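Because the report says the libpng copy is a transitive dependency whose version the app cannot pin, the first thing a defender usually wants is a repeatable way to confirm which libpng actually ships in the built artifact and whether it is below the 1.6.54 threshold the scanner uses. The script below is an added example written for this issue; it is not code from the reporter or from the Flutter project. It assumes that the libpng copyright banner (`libpng version X.Y.Z`, emitted from libpng's own `png.c`) survives in the shipped native library, which a stripped or LTO-optimised build may not guarantee; the sample byte blob and the file paths are constructed for illustration.

```python
"""Triage helper: find libpng version banners in native binaries and compare
them against the fixed version named in the scanner report (1.6.54).

Assumptions (not from the original issue):
  * the Flutter engine build keeps libpng's copyright banner string;
  * you point the script at extracted native libraries (e.g. the lib/ tree of
    an unpacked APK or the Frameworks directory of an .ipa).
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Version from which the scanner considers the listed CVEs addressed (from the report).
FIXED_VERSION: Version = (1, 6, 54)

# libpng's png.c embeds a banner like "libpng version 1.6.43 - ...".
VERSION_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def find_libpng_versions(blob: bytes) -> List[Version]:
    """Return every distinct libpng version tuple found in a binary blob, sorted."""
    found = {tuple(int(g) for g in m.groups()) for m in VERSION_RE.finditer(blob)}
    return sorted(found)  # type: ignore[return-value]


def is_below_fix(version: Version, fixed: Version = FIXED_VERSION) -> bool:
    """True when the detected version is older than the fixed version.

    Tuple comparison handles 1.6.9 < 1.6.54 correctly, which naive string
    comparison would get wrong.
    """
    return version < fixed


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def triage_blob(blob: bytes) -> Dict[str, object]:
    """Summarise which libpng versions a blob contains and which are below the fix."""
    versions = find_libpng_versions(blob)
    return {
        "detected": bool(versions),
        "versions": [fmt(v) for v in versions],
        "below_fix": [fmt(v) for v in versions if is_below_fix(v)],
    }


def triage_tree(root: Path) -> Dict[str, Dict[str, object]]:
    """Scan every regular file under root and report only files that carry a banner."""
    results: Dict[str, Dict[str, object]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        summary = triage_blob(path.read_bytes())
        if summary["detected"]:
            results[str(path)] = summary
    return results


# Constructed sample: a fake ELF-like blob carrying the banner the report's
# scanner would have matched (version 1.6.43, below 1.6.54).
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"libpng version 1.6.43 - November 21, 2023\x00"
    + b"Copyright (c) 2018-2023 Cosmin Truta\x00"
)

if __name__ == "__main__":
    # Usage: python libpng_triage.py <dir-with-native-libs> [...]
    for arg in sys.argv[1:] or []:
        for file, summary in triage_tree(Path(arg)).items():
            flag = "BELOW FIX" if summary["below_fix"] else "ok"
            print(f"{file}: {', '.join(summary['versions'])} [{flag}]")
    if len(sys.argv) == 1:
        print(triage_blob(SAMPLE_BLOB))
```

Run it against the unpacked artifact rather than the source tree: what matters for the CVEs is the libpng compiled into the engine binary that ships, and a banner of 1.6.54 or newer in that binary is the concrete evidence to attach when closing the scanner finding. An absent banner is not evidence of absence; in that case fall back to the engine's documented third-party manifest.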